26 Mar Ransomware: GPCode strikes back Nicolas Brulez
29 Nov GpCode-like Ransomware Is Back VitalyK
15 Aug New Gpcode - mostly hot air VitalyK
12 Aug Gpcode - here we go again VitalyK
26 Jun Another way of restoring files after a Gpcode attack VitalyK
17 Jun Gpcode update VitalyK
Back in November 2010, we wrote a blog post about a new variant of the Gpcode Ransomware.
Kaspersky Lab discovered a new variant today, in the form of an obfuscated executable. Please review the technical details for further information. The threat was detected automatically thanks to the Kaspersky Security Network as UDS:DangerousObject.Multi.Generic.
Specific detection has been added and the threat is now detected as Trojan-Ransom.Win32.Gpcode.bn.
The infection occurs when a malicious website is visited (drive-by download).
Upon execution, the GPCode Ransomware generates a 256-bit AES key (using the Windows Crypto API) and encrypts it with the criminal's 1024-bit RSA public key. The encrypted result is then dropped on the Desktop of the infected computer, inside the ransom text file:
We have received several reports from people around the world asking for help with infections very similar to the GpCode trojan that we detected in 2008.
GpCode was initially detected in 2004 and it reappeared almost every year until 2008. Since then, the author has been silent. A few copycats created some imitations of GpCode that were mostly hot air and not real threats because they weren’t using strong cryptographic algorithms.
As we explained before, this type of malware is very dangerous because the chances of getting your data back are very low. It is almost the same as permanent removal of the data from your hard drive. Back in 2006 and 2008, we managed to offer a few ways of recovering and even decrypting your data with our decryption tools.
Now, GpCode is back and it is stronger than before. Unlike the previous variants, it doesn't delete files after encryption. Instead it overwrites data in the files, which makes it impossible to use data-recovery software such as PhotoRec, which we suggested during the last attack.
Preliminary analysis showed that RSA-1024 and AES-256 are used as crypto-algorithms. The malware encrypts only part of the file, starting from the first byte.
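Because this variant overwrites the original file in place and encrypts from the first byte onward, the leading bytes that identify a file type are the first thing to disappear. The following added example (not code from the original post or from Kaspersky Lab) shows a simple triage check a responder could run over a suspect directory: for extensions with a known signature it flags files whose header no longer matches, and for unknown types it falls back to the entropy of the header region. The signature table, the 4 KiB window, the 7.5 bits/byte threshold and the constructed sample tree are all assumptions of the example.

```python
import math
import os
import random
import tempfile

# Constructed lookup of well-known leading bytes ("magic") per extension.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),
}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: ciphertext sits near 8.0, text and headers much lower."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_file(path: str, head_len: int = 4096, entropy_threshold: float = 7.5) -> str:
    """Classify a file from its first head_len bytes; returns 'ok' or a reason string."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(head_len)
    expected = MAGIC.get(ext)
    if expected is not None:
        # Known type: a file encrypted from byte 0 no longer carries its signature.
        if not any(head.startswith(m) for m in expected):
            return "signature mismatch: leading bytes overwritten"
        return "ok"
    # Unknown type: fall back to the entropy of the header region.
    if shannon_entropy(head) >= entropy_threshold:
        return "unknown type with high-entropy header"
    return "ok"


def scan_tree(root: str) -> list:
    """Walk root and return (relative path, reason) for every suspicious file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            verdict = inspect_file(path)
            if verdict != "ok":
                hits.append((os.path.relpath(path, root), verdict))
    return sorted(hits)


def _noise(rng: random.Random, n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed)."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_demo_tree() -> str:
    """Write a constructed sample tree: a good JPEG-like file, the same file with its
    first 2 KiB replaced by noise (what in-place encryption from byte 0 leaves behind),
    a text note, and an unknown-type file that is all noise."""
    root = tempfile.mkdtemp(prefix="gpcode-demo-")
    rng = random.Random(1234)
    jpeg = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 40
    files = {
        "photo.jpg": jpeg,
        "photo_encrypted.jpg": _noise(rng, 2048) + jpeg[2048:],
        "notes.txt": b"meeting at ten, bring the backup drive\n" * 50,
        "blob.dat": _noise(rng, 4096),
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, why in scan_tree(build_demo_tree()):
        print(f"{rel}: {why}")
```

The signature check is the reliable part: compressed formats such as .docx or .zip are legitimately high-entropy, which is why entropy is only consulted when the extension is unknown.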
The malware detection was added today as Trojan-Ransom.Win32.GpCode.ax. Kaspersky Lab experts are working on an in-depth analysis of the recent Trojan and will update you on every discovery that may assist with data recovery.
If you think you are infected, we recommend that you do not change anything on your system, as it may prevent potential data recovery if we find a solution. It is safe to shut down or restart the computer despite claims by the malware writer that files are deleted after N days; we haven't seen any evidence of a time-based file-deleting mechanism. Nevertheless, it is better to stay away from any changes that could be made to the file system, such as those caused by a computer restart.
People who are not infected should be aware of the problem and should recognize GpCode from the first second the warning appears on screen. Pushing the Reset/Power button on your desktop may save a significant amount of your valuable data! Please remember this and tell your friends: if you see a sudden popup of Notepad with text like this:
Don't hesitate and turn off your PC, pull out the power cable if this is fastest!
Another sign of infection is immediate change of the Desktop background to something like this:
We will keep posting more information and screenshots as we continue our investigation.
The latest Gpcode variant, which we wrote about here, is much less of a threat than its predecessors. The claims made by the author about the use of AES-256 and the enormous number of unique keys were a bluff. The author didn't even use a public key in encryption, so all the information needed to decrypt files is right there in the body of the malicious program.
Our analysis shows that the Trojan uses the 3DES algorithm but the author dug up an off-the-peg Delphi component rather than going to the trouble of creating his own encryption routine. The Trojan's code is pretty messy throughout – and very different in style to previous versions of Gpcode – which indicates that the author isn't much of a programmer.
We've called this new variant Trojan-Ransom.Win32.Gpcode.am. Our antivirus updates include procedures for restoring encrypted files – so if you've fallen victim to Gpcode.am, just update your av databases and run a full scan of your machine. And because Gpcode was spread by another malicious program, P2P-Worm.Win32.Socks.fe, don't be surprised if your antivirus brings some other nasties to light.
Today we heard a disturbing rumor about a new version of Gpcode. We immediately began talking to victims and trawling the Internet for samples.
After some digging, we found a sample that answers the descriptions victims have given us. The program's currently being spread via a botnet (name withheld for security purposes).
Gpcode leaves a text file named crypted.txt which includes a ransom demand of $10. The file also contains the author's contact details: an email address, an ICQ number and a URL. The web page contains the following text in Russian:
There are 3 pieces of news for you: one not very good and two very good. We'll start with the not very good one.
The not very good news is that all your files have been encrypted with the modern AES-256 algorithm.
The program uses a public/private key method.
99999 keys are used for encryption; one key is used on each infected machine, with no repeats.
Brute-forcing the keys for the AES-256 algorithm is impossible within the next 1000 years.
There is no hope in antivirus companies.
The AES-256 algorithm is used by the American intelligence services to encrypt their documents.
And here is the first piece of good news:
The files can be decrypted.
The second very good piece of news:
To decrypt, you only need to pay 10 dollars.
Our previous blog on Gpcode said we'd managed to find a way to restore files in addition to those files that can be restored using the PhotoRec utility.
It turns out that if a user has files that are encrypted by Gpcode and versions of those same files that are unencrypted, then the pairs of files (the encrypted and corresponding unencrypted file) can be used to restore other files on the victim machine. This is the method that the StopGpcode2 tool uses.
Where can these unencrypted files be found? They may be the result of using PhotoRec. Moreover, these files may be found in a backup storage or on removable media (e.g., the original files of photographs copied to the hard disk of a computer that has been attacked by Gpcode may still be on a camera’s memory card). Unencrypted files may also have been saved somewhere on a network resource (e.g., films or video clips on a public server) that the Gpcode virus has not reached.
We can't guarantee that files will be restored, as the method used relies not only on the user having unencrypted versions of the affected files but also on the characteristics of the infected machine. All the same, the results we achieved during testing (80% of encrypted files were restored) suggest that it's worth doing if you need to recover your files.
The more pairs of files that can be found the more data that can be restored.
Detailed instructions on the use of the StopGpcode2 tool can be found in the description of Virus.Win32.Gpcode.ak.
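The post above does not say what property of Gpcode.ak lets an encrypted/unencrypted pair unlock other files, so the following added example (not the StopGpcode2 tool and not Kaspersky Lab's code) illustrates the recovery principle under one labelled assumption: that every file on a machine was XORed with the same keystream. Under that assumption a known pair reveals the stream for as many bytes as the pair is long, and the longest pair bounds how much of any other file comes back, which is why more and longer pairs mean more data. The SHA-256 counter stream, file names and contents are all constructed for the demonstration.

```python
import hashlib


def toy_keystream(seed: bytes, length: int) -> bytes:
    """Deterministic byte stream (SHA-256 over a counter). It only plays the role of
    the shared stream this illustration assumes; it is not Gpcode's cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_from_pairs(pairs) -> bytes:
    """Merge (plaintext, ciphertext) pairs into the longest keystream prefix they reveal.
    Pairs that disagree on an overlapping region prove the stream is NOT shared, so the
    function refuses rather than producing garbage."""
    ks = b""
    for plain, cipher in pairs:
        n = min(len(plain), len(cipher))
        seg = xor_bytes(plain[:n], cipher[:n])
        overlap = min(n, len(ks))
        if seg[:overlap] != ks[:overlap]:
            raise ValueError("pairs disagree on overlapping bytes: no shared keystream")
        if n > len(ks):
            ks = seg
    return ks


def restore(cipher: bytes, ks: bytes):
    """Return (recovered prefix, number of bytes still unrecovered)."""
    n = min(len(cipher), len(ks))
    return xor_bytes(cipher[:n], ks[:n]), len(cipher) - n


def pair_recovery_demo() -> dict:
    """Constructed scenario: four files on one machine, all XORed with the same stream.
    Unencrypted copies of two of them survive on a camera card and in a backup."""
    stream = toy_keystream(b"constructed-per-machine-secret", 5000)
    originals = {
        "doc.txt": b"quarterly figures\n" * 28,              # 504 bytes, backup copy exists
        "img1.jpg": bytes(range(256)) * 12,                 # 3072 bytes, still on camera card
        "img2.jpg": bytes(range(255, -1, -1)) * 10,         # 2560 bytes, no copy anywhere
        "video.avi": bytes(i % 251 for i in range(5000)),   # 5000 bytes, no copy anywhere
    }
    encrypted = {name: xor_bytes(data, stream) for name, data in originals.items()}
    pairs = [
        (originals["doc.txt"], encrypted["doc.txt"]),
        (originals["img1.jpg"], encrypted["img1.jpg"]),
    ]
    ks = keystream_from_pairs(pairs)
    img2, img2_missing = restore(encrypted["img2.jpg"], ks)
    video, video_missing = restore(encrypted["video.avi"], ks)
    return {
        "keystream_bytes": len(ks),
        "img2_fully_recovered": img2 == originals["img2.jpg"] and img2_missing == 0,
        "video_recovered_bytes": len(video),
        "video_missing_bytes": video_missing,
        "video_prefix_correct": video == originals["video.avi"][: len(video)],
    }


if __name__ == "__main__":
    for key, value in pair_recovery_demo().items():
        print(f"{key}: {value}")
```

The consistency check in keystream_from_pairs matters in practice: if two pairs disagree where they overlap, the files were not encrypted with one shared stream, and the method should stop rather than write corrupted output over the victim's data.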
Our StopGpcode project has attracted a lot of attention from individual researchers and organizations who are interested in solving the puzzle of the blackmailing virus. Thanks for all the feedback.
Among other things, we've been asked a lot about how the virus propagates. Having analyzed a number of infected computers we've come to the conclusion that the virus gets onto the victim machine with the help of another malicious program – a bot with Trojan-Downloader functionality. The victim machines had been infected with this malicious program well before Gpcode appeared on them; and the bot downloaded a whole range of other Trojan programs in addition to the Gpcode virus.
The RSA private key hasn't been found, but some interesting ideas have surfaced. For instance, a detailed analysis of the algorithm used by Gpcode has shown that the author of the virus made an error which makes it possible (under certain circumstances) to decrypt encrypted files without the private key.
This method restores from 0% to 98% of all encrypted files on the computer. The results depend on a number of factors, beginning with the system that was attacked. At the moment it's impossible to give an average number of files that could be recovered from a 'typical' computer.
Kaspersky Lab researchers are currently working on creating a file restoration utility that will utilize this new method.
Currently, it's not possible to decrypt files encrypted by Gpcode.ak without the private key. However, there is a way in which encrypted files can be restored to their original condition.
When encrypting files, Gpcode.ak creates a new file next to the file that it intends to encrypt. Gpcode writes the encrypted form of the original file's data to this new file, and then deletes the original file.
It's known that it is possible to restore a deleted file as long as the data on disk has not been significantly modified. This is why, right from the beginning, we recommended users not to reboot their computers, but to contact us instead. We told users who contacted us to use a range of utilities to restore deleted files from disk. Unfortunately, nearly all the available utilities are shareware – we wanted to offer an effective, accessible utility that could help restore files that had been deleted by Gpcode.
What did we settle on? An excellent free utility called PhotoRec, which was created by Christophe Grenier and which is distributed under General Public License (GPL).
The utility was originally created in order to restore graphics files (presumably that's why it's called PhotoRec, short for Photo Recovery). Later, the functionality was extended, and the utility can currently be used to restore Microsoft Office documents, executable files, PDF and TXT documents, and also a range of file archives.
You can find a full list of supported formats here. The official PhotoRec utility site is here. The PhotoRec utility is part of the TestDisk package, and you can find the latest version of TestDisk, including PhotoRec here.
It should be stressed that PhotoRec excels at the task it was designed for: restoring file data on a specific disk. However, it has difficulty in restoring exact file names and paths. In order to address this issue, we've developed a small, free program called StopGpcode.
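The recovery route described in this post works because Gpcode.ak wrote its ciphertext to a new file and merely deleted the original, whose data blocks stay on disk until something overwrites them. The following added example (not PhotoRec or StopGpcode, and not Kaspersky Lab's code) is a minimal file carver of the same kind: it scans a raw byte image for known headers and trailers and returns the data between them. It also makes the limitation noted above concrete: what is carved has a type and an offset but no name or path, because that information lived in file-system metadata rather than in the data blocks. The signature table and the constructed "disk" image are assumptions of the example.

```python
# Signatures the carver knows: (type, header, trailer). Table constructed for the demo.
SIGNATURES = (
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("pdf", b"%PDF-", b"%%EOF"),
)


def carve(image: bytes, max_len: int = 8 * 1024 * 1024) -> list:
    """Scan a raw image for known headers and return (type, offset, data) for every
    header/trailer pair found, sorted by offset. A header with no trailer within
    max_len bytes is skipped rather than guessed at."""
    found = []
    for kind, head, tail in SIGNATURES:
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head), start + max_len)
            if end < 0:
                pos = start + 1
                continue
            end += len(tail)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda entry: entry[1])


def carving_demo() -> dict:
    """Constructed 'disk': free space, the original JPEG-like file (directory entry
    gone, blocks never overwritten) and the encrypted copy written as a new file.
    The encrypted bytes are a deterministic noise pattern, not real cipher output."""
    original = b"\xff\xd8\xff\xe0" + bytes(range(200)) * 10 + b"\xff\xd9"
    # Consecutive bytes differ by 131 mod 256, so no header pattern can appear here.
    noise = bytes((i * 131 + 7) % 256 for i in range(len(original)))
    image = b"\x00" * 4096 + original + b"\x00" * 512 + noise + b"\x00" * 4096
    carved = carve(image)
    return {
        "count": len(carved),
        "kinds": [kind for kind, _, _ in carved],
        "offset": carved[0][1] if carved else None,
        "matches_original": bool(carved) and carved[0][2] == original,
        "noise_carved": any(data == noise for _, _, data in carved),
    }


if __name__ == "__main__":
    for key, value in carving_demo().items():
        print(f"{key}: {value}")
```

Real carvers validate the structure between header and trailer (JPEG segment lengths, PNG chunk CRCs) instead of trusting the first trailer they meet; that is what lets PhotoRec cope with fragmented and partially overwritten data, and it is the part deliberately left out here.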
If you've fallen victim to GpCode, don't pay the author of the virus to restore your data. Use PhotoRec instead – if you want, you can make a donation to the developer of the program.
The description of Gpcode contains detailed instructions on how to manually restore files attacked by the virus using PhotoRec and Stopgpcode.
The whole new Gpcode outbreak has set me thinking about attackers and victims in general. Yes, decrypting the key used by the new Gpcode is a thorny problem and there's no guarantee of success. So I'd like to remind everyone that common sense is as important as good technology.
Passivity on the part of victims gives cyber-attackers free rein. If you've lost your data to Gpcode and are desperate to recover it…even if you give in and rush to purchase an egold account, you can still help stop whoever's behind this. Don’t just send the PIN code to the blackmailers. Send a copy to the support service of the e-payment system you are using. This will help the investigators track the criminal. And tracking the criminal means s/he might even be caught red-handed.
On the other hand, victims failing to take any action guarantees that the criminal will never be caught – which means there will be new victims – or the same victims will suffer again…and again...and again.
Final thought – I hope that a fourth post on this subject isn't misleading anyone. There is no Gpcode epidemic; we've seen a limited number of infections to date.
However, technical threats aside, it's user awareness that continues to be a global issue. Stop being a victim, back up your data and take my comments above in context of Gpcode's history. And then review your own information security in this context as well.
If you read Vitaly's blogpost yesterday, you'll know that on the 4th June 2008 we detected a new variant of Gpcode, a dangerous file encryptor. Details of the encryption algorithms used by the virus are all in Vitaly's post and the description of Gpcode.ak.
Along with antivirus companies around the world, we're faced with the task of cracking the RSA 1024-bit key. This is a huge cryptographic challenge. We estimate it would take around 15 million modern computers, running for about a year, to crack such a key.
Of course, we don't have that type of computing power at our disposal. This is a case where we need to work together and apply all our collective knowledge and resources to the problem.
So we're calling on you: cryptographers, governmental and scientific institutions, antivirus companies, independent researchers…join with us to stop Gpcode. This is a unique project – uniting brain-power and resources out of ethical, rather than theoretical or malicious considerations.
Here are the public keys used by the authors of Gpcode.
The first is used for encryption in Windows XP and higher.
The second is used for encryption in versions of Windows prior to XP.
The RSA exponent for both keys is 0x10001 (65537).
The information above is sufficient to start factoring the key. A specially created utility could be of great help in factoring.
We're happy to provide additional information to anyone involved in stopping Gpcode. To keep everyone up to date, we've set up a dedicated forum.
Following on from Vitaly's post about the new Gpcode variant, I just thought I'd remind everyone to back up their data.
That way, if you do fall victim to Gpcode and your files get encrypted, at least you won't have lost any valuable information.